Question 1

You work as the systems administrator at the Flower Mound Organic Farm Collective and are in the process of upgrading the organization's network from Windows NT 4.0 to Windows 2000. You don't have the funds to upgrade your DNS server from NT 4.0 to Win2K, and you're wondering whether you can use the NT 4.0 DNS server to support Active Directory (AD). Which of the following steps should you take to configure the NT 4.0 DNS server to support AD? (Choose all that apply.)

A. Configure the DNS Server to support Dynamic Updates.

B. Upgrade the server to Service Pack 4 (SP4) or a more recent service pack.

C. Make sure that the NT 4.0 DNS server is authorized in AD.

D. Make sure that the primary DNS server authoritative for the Netlogon service names can support SRV records.

Question 2

You want to use your corporate intranet to set up an IP Security (IPSec) connection for two computers located on different sides of the city. Each computer is connected to a local Cisco Systems 2501 router, which is connected to your ISP's router. Traffic travels across three routers on the ISP's network, then to the corresponding router on the other side, and finally to the other PC. These routers are all part of the intranet, although one routes traffic out to the Internet as well.

You've outsourced most of your WAN infrastructure, so you're only responsible for the LAN up to the 2501 routers. Which of the following do you need to do to set up an IPSec connection between these two locations?

A. Set up IPSec on each end-node computer, then have your ISP configure the routers to let TCP traffic pass through on port 108.

B. Configure the end-node computers with IPSec; you don't need to configure the routers to pass this encrypted traffic across your WAN.

C. Set up IPSec on each end-node computer, then have your ISP configure the routers to let traffic pass through on port 31337.

D. Set up IPSec on each end-node computer, then have your ISP configure the routers to let traffic pass through on port 1138.

Question 3

Enrious and his manager, Petal, are discussing the administration of the RAS servers at the Flower Mound Organic Farm Collective.

Petal: "I want you to set up the remote access policy so that the system locks users out if they enter the wrong password several times when they're dialing into our server."

Enrious: "How about if we lock users out for 48 hours if they enter the wrong password five consecutive times when using a dial-up connection?"

Petal: "That sounds good. Now, can you explain to me how you set up the RAS server?"

Enrious: "I've configured the server with default settings. I created a new group called flowerrasusers, and it contains users who require the ability to access our network over a dial-up connection."

Petal: "I'm still concerned that people who aren't members of this group are somehow gaining dial-up access. Also, can you limit access to non-business hours?"

Enrious: "Yes, that should be possible."

After the meeting, Petal hands Enrious the following goals for the RAS servers:

Primary Goal:

Deny users access for 48 hours if they enter the incorrect password five times.

Secondary Goals:

Limit access to RAS to members of the flowerrasusers group.

Restrict RAS access to between 5:00 P.M. and 8:00 A.M. for normal users.

Give Administrators unlimited access to the RAS server at all times.

Which of the following achieves the primary goal but doesn't achieve any of the secondary goals?

A. Run regedit, navigate to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\AccountLockout subkey, and change the entry for MaxDenials from 0 to 5.

Answer to Question 1

The correct answers are B—Upgrade the server to Service Pack 4 (SP4) or a more recent service pack; and D—Make sure that the primary DNS server authoritative for the Netlogon service names can support SRV records. SP4 or later is required on the NT 4.0 DNS server. The NT 4.0 DNS server must be the primary DNS server authoritative for Netlogon service names and support the SRV records. SP4 introduced this capability. Dynamic updates of DNS records aren't required for AD, although Microsoft recommends it. DHCP servers and Remote Installation Services (RIS) servers must not be authorized in AD, but a server running NT 4.0 can't be (nor does it need to be) authorized as a DC in AD.

Answer to Question 2

The correct answer is B—Configure the end-node computers with IPSec; you don't need to configure the routers to pass this encrypted traffic across your WAN. You must activate IPSec on the clients only. A tunnel activates between the two endpoints that use encrypted IP communication. One end encrypts the communication, and the other end decrypts it. Routers and switches don't need to be IPSec-aware.

Answer to Question 3

The correct answer is A—Run regedit, navigate to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\AccountLockout subkey, and change the entry for MaxDenials from 0 to 5. The default lockout period is 48 hours, which the registry represents in hexadecimal as b40. If that doesn't make any sense to you, translate the value back to decimal and divide by 60. If you want to change the value to 24 hours, simply multiply 24 by 60 and translate the result into hexadecimal. The subkey to change is in the same area and is called ResetTime.